TJX Cos. and New England banks said today they have agreed to settle a high-profile lawsuit over payment card security practices in the wake of the record-setting data breach at the Framingham retailer that compromised as many as 100 million accounts.
TJX, the parent of discount retail chains including T.J. Maxx and Marshalls, will pay community banks and trade groups in Massachusetts, Connecticut, and Maine a portion of their legal expenses.
More specifics weren't disclosed, but the deal won't add to the $256 million in total spending TJX previously had budgeted to deal with the breach, a spokeswoman said today. In addition to settling with the banks, the figure is meant to cover previous settlements with payment card company Visa International Inc. for up to $40.9 million in costs, and with a class of consumers.
TJX still faces claims from an Alabama bank and investigations by federal and state officials over the breach. But Mary Monahan, partner of Javelin Strategy & Research in California, said the deal amounts to a relative win for TJX and one that was no surprise after a decision by a federal district court judge made it harder for the banks to join together to sue TJX as a class.
"Once that happened, it became too expensive for the banks to continue on this route," she said.
Both sides said they were pleased with the outcome. Banks led by the Massachusetts Bankers Association had filed their suit in the spring as the extent of the data breach became clear, seeking to cover costs such as reissuing compromised cards.
TJX found illicit software on its systems at the end of last year, and Canadian privacy officials later tied the intrusion to a weakness in the company's wireless security systems dating back as far as 2005.
Although officials have won convictions against individuals in Florida and elsewhere for misusing the stolen card numbers to buy goods, to date no individual has been charged with the intrusion itself.
The bankers alleged that TJX was negligent in not maintaining stricter data security, and unearthed various documents that showed the company wasn't meeting industry security standards and had caused Visa to issue fines.
TJX had fought back, however, arguing its security was similar to other retailers and noting that only recently have a majority of large merchants met payment card security rules.
As part of today's deal, the bankers are recommending their members accept the repayments Visa is offering under the terms of its deal with TJX.
In statements today both sides said they hope the deal with improve overall security. "The TJX experience underscores broader challenges facing the US payment card system that require urgent action," said Carol Meyrowitz, TJX chief executive, in a statement. Daniel Forte, president of the Massachusetts Bankers Association, said the case was worth pursuing to show weaknesses in the payment system.
"This data breach and the ensuing litigation have clearly initiated an important nationwide dialogue on the importance of improving the security of the US payment card system," he said.
Ross Kerber can be reached at email@example.com.